1. Field of the Invention
The present invention relates in general to computer systems, and more specifically to managing security events that occur in a computing environment.
2. Description of the Related Art
In today's computing environment, threats to the security of computer systems are increasing both in frequency and in complexity. Unfortunately, an organization can lose assets, time, and even customers due to threats that successfully breach its computing environment or that exploit flaws in its information infrastructure.
It would not be unusual for a large installation to have more than two thousand devices contributing to the security of the network. The timely identification and resolution of security incidents is imperative. However, effectively handling the increasing number of perimeter sources and/or applications, and the increasing load of message packets generated by those devices, can be overwhelming. Moreover, the ever-growing volume of data can mask suspicious activity, or prevent its detection in a timely fashion.
A conventional database-centric architecture requires multiple databases, and relies on database mapping to obtain vulnerability information, which degrades database performance and yields information that cannot be readily leveraged, such as in reports. This also limits the ability to scale the architecture up to very large environments, since data tends to be accessed through a central point. A representative conventional database-centric architecture is illustrated in the block diagram of FIG. 1. Generally these are set up in a hierarchical architecture, with multiple databases 105, 115, 119 distributed throughout the system to store various security event information. As security events are detected in the system, security event information is stored locally throughout the architecture, such as at each of several local computers 121, each of which can have an event manager process 117 and a database 119 of local security events. Upper level computers 111 can receive information regarding security events from various collections of local computers 121, can process the information at a security event manager 113, and each can store security event information in a local database 115. A divisional manager 125 can manage 123 the upper level computers 111. A user can access security information via a master console manager 101, which includes its manager processing 103 and a local database 105. Alternatively, users can access subsets of security information via divisional consoles 107, which include manager processing 109 and can access the databases of subsets of security events.
The database in a database-centric architecture inherently becomes the bottleneck to performance and scalability. For example, screen refreshes, correlation analyses, and queries all require database reads, inserts, or lookups. The number of users can affect the database's ability to respond in real time under high event rates. Unfortunately, database-centric approaches cannot effectively handle event bursts such as those that occur during an attack, because the database is relied on for many aspects of event management. Other performance issues can result as well.